Bypass MFA for specific users or groups - NPS Extension for Azure MFA

Mohit Pathak 25 Reputation points
2024-06-02T12:48:46.94+00:00

We're utilizing the NPS Extension for Azure MFA in our highly available RDS environment (two RDGW machines, two NPS machines with the extension installed, and two connection broker machines).

We have a requirement to exclude service accounts from getting MFA prompts when they're used to establish an RDP connection. We have already tried the conditional access policy approach, but that doesn't work with the RDP connection.

Please suggest a solution that we can implement

Windows for business | Windows Client for IT Pros | User experience | Remote desktop services and terminal services
Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Raja Pothuraju 23,470 Reputation points Microsoft External Staff Moderator
    2024-06-04T06:14:33.1633333+00:00

    Hello @Mohit Pathak,

    Thank you for posting your query on Microsoft Q&A.

    To exclude service accounts from getting MFA prompts when they're used to establish an RDP connection, you can add the following registry setting under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa:

    Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa
    Value Name: REQUIRE_USER_MATCH
    Value Type: REG_SZ
    Value Data: FALSE

    Adding this value and setting it to FALSE allows the NPS extension to bypass secondary authentication failures for non-MFA-enrolled users. Setting REQUIRE_USER_MATCH=FALSE skips the enrollment check, which allows non-MFA-enrolled users to authenticate using primary authentication only. This should allow service accounts to bypass MFA prompts when establishing an RDP connection.

    Please refer below article for more information.
    https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-nps-extension#prepare-for-users-that-arent-enrolled-for-mfa

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    Thanks,
    Raja Pothuraju.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
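The following PowerShell is an added example, not part of the original answer or of Microsoft's own tooling. It audits the REQUIRE_USER_MATCH value on each NPS server in the farm (two servers here, with placeholder hostnames NPS01 and NPS02) and can set it with -WhatIf support. The registry path, value name and REG_SZ type are the ones given in the linked Learn article; the hostnames, function names and the optional NPS (IAS service) restart are assumptions. One caveat worth checking before flipping the value: REQUIRE_USER_MATCH=FALSE turns off the enrollment check for every account that is not registered for MFA, not only service accounts, so human users who have never registered would also sign in with a password alone. The audit output makes that state visible on each server.

```powershell
# Added example (not from the original thread): audit and optionally set the
# NPS Extension for Azure MFA enrollment check on each NPS server.
# Path/value/type are from the Learn article linked in the answer.
# Hostnames, function names and the IAS restart are placeholders/assumptions.
# CAUTION: FALSE lets EVERY non-MFA-enrolled user authenticate with primary
# credentials only, not just service accounts.

$NpsServers = @('NPS01', 'NPS02')   # hypothetical NPS hostnames
$KeyPath    = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
$ValueName  = 'REQUIRE_USER_MATCH'

function Get-NpsMfaEnrollmentCheck {
    param([string[]]$ComputerName)
    foreach ($server in $ComputerName) {
        Invoke-Command -ComputerName $server -ScriptBlock {
            param($Path, $Name)
            $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
            # Absent value means the default (TRUE): non-enrolled users are rejected.
            $raw = if ($null -ne $item) { [string]$item.$Name } else { '<not set>' }
            [pscustomobject]@{
                Server             = $env:COMPUTERNAME
                REQUIRE_USER_MATCH = $raw
                NonEnrolledBypass  = ($raw.Trim().ToUpper() -eq 'FALSE')
            }
        } -ArgumentList $KeyPath, $ValueName
    }
}

function Set-NpsMfaEnrollmentCheck {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$ComputerName,
        [ValidateSet('TRUE', 'FALSE')][string]$Value,
        [switch]$RestartNps   # assumption: restart so the extension reloads config
    )
    foreach ($server in $ComputerName) {
        if ($PSCmdlet.ShouldProcess($server, "Set $ValueName to $Value")) {
            Invoke-Command -ComputerName $server -ScriptBlock {
                param($Path, $Name, $Data, $Restart)
                if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
                # REG_SZ, exactly as the Learn article specifies
                New-ItemProperty -Path $Path -Name $Name -Value $Data -PropertyType String -Force | Out-Null
                if ($Restart) { Restart-Service -Name IAS }   # IAS = Network Policy Server service
            } -ArgumentList $KeyPath, $ValueName, $Value, $RestartNps.IsPresent
        }
    }
}

# Audit first; the NonEnrolledBypass column shows where the check is already off.
Get-NpsMfaEnrollmentCheck -ComputerName $NpsServers | Format-Table -AutoSize

# Dry run of the change; drop -WhatIf to apply it on both servers.
Set-NpsMfaEnrollmentCheck -ComputerName $NpsServers -Value 'FALSE' -RestartNps -WhatIf
```

Run the audit from a management host with WinRM access to the NPS servers. Because the setting is per server, both NPS machines behind the RD Gateway must agree, or the MFA behaviour will depend on which NPS server RADIUS picks.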


  2. Wai-Kit Leung 20 Reputation points
    2024-09-30T14:56:07.9933333+00:00

    Hi,

    We have a similar issue: when a user signs into the Azure VM using RDP and opens any Office program, they need to authenticate with user credentials, followed by 3 MFA prompts/challenges inputting a code, followed by a "something went wrong" 8018001C error code.

    Once they press "Done", the user is able to use Office apps for the next 5 days before they have to reauthenticate again.

    [Screenshot: MFA RDP 2024-01-18_16h53_22]

    Thanks,
    Wai-Kit

